Abstract

We show that the claim of insecurity of the αη cryptosystem made by C. Ahn and K. Birnbaum in Phys. Lett. A 370 (2007) 131-135 under heterodyne attack is based on invalid extrapolations of Shannon's random cipher analysis and on an invalid statistical independence assumption. We show, both for standard ciphers and αη, that expressions of the kind given by Ahn and Birnbaum can at best be interpreted as security lower bounds.
In [1], Ahn and Birnbaum claim to establish, by an approximate analysis, the information-theoretic insecurity of the αη encryption system [2,3,5] even for ciphertext-only attacks in which Eve makes heterodyne measurements followed by classical processing. While we have argued in [3,5] that information-theoretic security in the asymptotic limit against such attacks is unlikely, the main purpose of this comment is to show that the arguments of [1] do not establish insecurity in either the asymptotic or the finite case. We prove the asymptotic insecurity of αη under ciphertext-only attacks conjectured by us in [3,5], and comment on its lack of practical significance. We also give some new lower bounds on the average number of spurious keys of αη and other random ciphers.

In Section 1, we describe the claim of [1] in the light of known results and conjectures, to explain that, despite its quantitative appearance, they have not given a precise claim that can in principle be falsified. We also summarize our position regarding Shannon's random cipher and the claims of [1]. In Section 2, we review the concepts of 'unicity distance' and average number of spurious keys N_k of a cipher and the available results on them in the standard cryptography literature. In Section 3, we extend these results to random ciphers like αη. In Section 4, we critique the analysis of Ahn and Birnbaum in detail. We also show that their approximate expressions can be replaced by rigorous lower bounds (rather than approximate equalities) of similar form in the light of our results of Section 3, and that these bounds cannot be used to argue insecurity of any cipher. We also show that, for αη, a true unicity point is never reached for finite n under known-plaintext attacks, making it more information-theoretically secure than standard ciphers at least for those attacks, contrary to the claim of [1]. Some concluding remarks are given in Section 5.

Email address: nair@eecs.northwestern.edu (Ranjith Nair).

Preprint submitted to Elsevier                                   19 November 2008



1 Background and the Claim of [1]

Some specific security analyses and claims on αη have been given in [2,3,4,5]. In particular, we have expressed [3,5] our belief that αη in its original form is not information-theoretically secure under ciphertext-only and known-plaintext attack for large enough n. Let H(K|Y^n) be Eve's key uncertainty given the n-length ciphertext Y^n. In other words, we claimed without a proof that, even for ciphertext-only attacks, we would have

We sketch a proof of this result for ciphertext-only attacks here. Since statistical and known-plaintext attacks give Eve more information, (1) should be expected to hold for these attacks as well. An LFSR gives a periodic output of period 2^{|K|} − 1 bits. In consequence, observation of the heterodyne-attack output over each such running-key period provides Eve with successive observations of the same key corrupted by independent noise coming from the totally random data. At worst, Eve can make her optimum estimate of the key in each period and take a majority vote at the end. Intuitively, her probability of success goes to unity as the number of periods goes to infinity, in the same way as the average of many measurements of some quantity with independent noise in each measurement tends to the true value as the number of measurements goes to infinity.

Note however that Eq. (1) has no practical implication on the security of αη in real use, since it is merely an asymptotic statement; see the discussion in Ref. [2]. In particular, the PRNG embedded in αη is not to be used longer than its period 2^L, as in the case of standard ciphers, where L is the register length, thus rendering the above insecurity argument inapplicable. For this reason, and the fact that the attack just mentioned is hugely inefficient, we have not gone into a detailed proof. Ahn and Birnbaum in [1] implicitly make the same claim (1), along with a purported proof based on analogy with Shannon's random cipher [6]. We stress that the argument just given is completely independent of that of Ahn & Birnbaum, who provide no evidence for it beyond the analogy with Shannon's random cipher, regarding which we will outline our position below.

Against this background regarding (1), the only new claim with any quantitative justification in [1] is their approximation

    H_E(K) ≈ L − QU   for Q < n = L/U,                                   (2)

where H_E(K) is Eve's equivocation on the key, L the seed-key length, Q the length of the data sequence, and U their upper bound on Eve's information per data bit. By analogy with the Shannon random cipher, the authors then claim "Eve can determine K with high probability when .."

    Q(U + 1) ≫ L + H_E(K)                                                (3)

and thus "the αη protocol is worse than the simple additive stream cipher".

We find the extrapolation from (2) to (3) completely unwarranted, and (3) itself has no clearer meaning than (1). Firstly, since there is no commonly agreed meaning of the symbols "≈" and "≫", these statements are not well-defined. As they stand, they cannot be falsified, falsifiability being the hallmark of a meaningful scientific statement. More significantly for our purpose, there is no reason why (2) is a good approximation in any sense, while there is reason to think that it is not, as we will show in detail in this Letter.

Ahn and Birnbaum's argument supporting (2), which is a heuristic one and not a proof, is again based on a Shannon random cipher analogy, which they suggest would be applicable if the PRNG used satisfies a certain pairwise independence condition between any two running-key values.

On the one hand, we discuss in detail in Section 4 why their pairwise independence condition is unlikely to lead to an approximate satisfaction of (2) in whatever sense and degree they mean, which they have not specified.

On the other hand, we argue that an appeal by analogy to Shannon's random cipher ensemble cannot establish insecurity of any concrete cipher. Since Shannon's argument uses a large ensemble of ciphers, the average behavior of this ensemble cannot be expected to resemble that of a given concrete cipher. In consequence, we would not consider any security or insecurity claim that is essentially based on a Shannon random cipher analogy to be reliable. While we have not examined the issue in detail, we believe that the agreement with this model observed by Shannon for his 'unicity distance' for some concrete ciphers for encrypting English is likely the result of the very special statistics of English (or any other natural language) that make any cipher encrypting English text quite weak.

However, we attempted to extract the possible meaning and identify the possible validity of the claim (2) above. It turns out that such a possible rendering of (2), similar in form but not in content, has been given before [7,8] for nonrandom ciphers without the necessity of appealing to Shannon's random cipher assumptions. In Section 3, we extend the results of Hellman [7] and Beauchemin and Brassard [8] (HBB) to random ciphers (in the sense of Section 2 (see also [3]), not that of Shannon) like αη and analyze it along this rigorous rendering, different though it is from Ahn and Birnbaum's claim.



2 Average Number of Spurious Keys N_k and 'Unicity Distance'

The general form of a random cipher consists of an encryption map E_k(·) applied by the sender Alice to a plaintext n-sequence X^n = X_1 … X_n of symbols, each picked from an alphabet 𝒳, resulting in a ciphertext n-sequence Y^n = Y_1 … Y_n:

    Y^n = E_k(X^n, R^n),                                                 (4)

with the ciphertext symbols belonging to a possibly different alphabet 𝒴. Note that the encryption map is indexed by the secret key k, selected randomly from a possible set of values 𝒦 and known only to Alice and the receiver Bob, and that the ciphertext is not determined by the key and plaintext alone but rather requires an additional random variable R^n generated by Alice for its complete specification. The key length |K| is typically of the order of a few hundred bits for standard ciphers like the Advanced Encryption Standard (AES). The ciphertext may be openly read by the eavesdropper Eve before reaching Bob, who applies a corresponding decryption map D_k(·) to recover the plaintext:

    X^n = D_k(Y^n).                                                      (5)

Observe that the decryption map must function without Bob knowing R^n. Further details on random ciphers may be found in [3]; we note here that a random cipher usually uses a larger ciphertext alphabet, so that 𝒴 ≠ 𝒳, and the former may even be continuous, as it is for αη under heterodyne attack.
Fixing a particular attack on a given cryptosystem, random or otherwise, means that the eavesdropper Eve is assumed to know the joint probability distribution Pr[X^n Y^n K] of the plaintext, ciphertext, and key, and is in possession of the corresponding ciphertext random variable Y^n. In the case of αη, where information is coded into quantum states, one must additionally specify a quantum measurement whose result becomes the ciphertext Y^n. In the case of αη under heterodyne attack, 𝒳 = {0, 1} and 𝒴 is ℝ² or ℂ, since the heterodyne measurement gives two real numbers. Actually, only the argument of the complex-number result is useful to Eve, and thus 𝒴 may be taken to be the circle S^1. In this Letter, we will consider only information-theoretic security (IT security) and allow unlimited computational power to Eve.

In the cryptography literature, beginning with Shannon [6], the 'unicity distance' has been proposed as a measure of IT security of a cipher. The concept may precisely be defined as the smallest length of plaintext for which only one key value can lead to the observed ciphertext, thus marking the point where the system is totally broken. Unfortunately, for most data statistics, there is never a point where the key becomes fixed with probability one, and the choice of a particular unicity point involves an implicit choice of a probability that is viewed as 'small enough' and must, in our opinion, be specified in any insecurity claim. In [6], Shannon estimated the unicity distance of an ensemble of ciphers satisfying certain ideal conditions that are in general not satisfied for a given cipher. Even for Shannon's random cipher (throughout this Letter, we will use 'Shannon's random cipher' to denote the ensemble of ciphers defined in [6] and 'random cipher' to denote any cipher of the form of Eq. (4); the reader should keep in mind that they are completely different concepts), there is no point where the key is fixed with probability one. However, the probability that the key is erroneously determined by Eve at a designated 'unicity point' can be calculated for this ensemble, as has been done by Hellman in [7] (see Theorem 1 and Corollary 1 therein). This probability calculation appears extremely difficult to do for any concrete cipher, random or otherwise.

In view of the generic non-existence of a true unicity point for a cipher, we prefer to work with a closely related concept defined by Hellman [7] for this reason and used also by Beauchemin and Brassard [8]. This is the average number of spurious keys N_k seen by the attacker, which we define below following [8].

Under a given attack, for each ciphertext y, we define the set K_y as

    K_y = {k ∈ 𝒦 | Pr[D_k(y)] > 0}.                                      (6)

Thus K_y is the set of keys that could give rise to the observed ciphertext y. Since only one of these keys is the actual one used, the number of spurious keys N_k(y) is

    N_k(y) = |K_y| − 1.                                                  (7)

The average number of spurious keys N_k is defined to be the expectation of N_k(y) over Y:

    N_k = Σ_y Pr[y] N_k(y).                                              (8)

Since each N_k(y) is non-negative, if N_k = 0 then N_k(y) = 0 for all y and the cipher is broken with probability one.

It is significant to note that a unicity distance n_0(p), which gives the shortest data length n_0 from which Eve could determine the key with probability p, is a useful operational measure of security that one may try to determine numerically or bound analytically for various types of attacks. Some special-p cases have been obtained previously for known-plaintext quantum joint attacks [4] that yield the fundamental security limit. It is also meaningful to evaluate n_0(p) under heterodyne or other attacks. Indeed, this is being pursued by different groups in Europe, Japan, and the US on αη and similar cryptosystems.

We stress here that we do not consider N_k by itself to be an operationally meaningful IT security measure, although it may well provide bounds on such a measure. Among its drawbacks is the fact that the cardinality alone of each set K_y defined above gives no feel for the numerical probabilities of its elements. In addition, the operational meaning of averaging over y may be questioned. As an example of an operational security measure closely related to the unicity distance n_0(p), we suggest the following 'Π-function', defined as a function of the data length n for a given attack on a given cipher as

    Π(n) := max_{y^n} max_k Pr[k|y^n].                                   (9)

Thus, Π(n) is Eve's probability of the most likely key, maximized over all possible ciphertext observations of length n. As such, for a chosen ε, if it can be shown that Π(n) < ε for the data length of operation, the user can be guaranteed that the system is broken with a probability not greater than ε, no matter what observation Eve gets. In this Letter, we do not study the Π-function as a security measure, since the results on N_k, both those available and those proven here, are closer in spirit and content to the claims of [1] and are sufficient to point out the inadequacies in their arguments. N_k can be estimated exactly for the Shannon random cipher and equals (see [7])

    N_k = 2^{H(K) − nD} − 2^{−nD},                                       (10)

where D is the per-symbol data redundancy in bits, i.e.,

    D := log_2(|𝒳|) − H(X^n)/n.                                          (11)

Note that N_k never becomes exactly zero, so the cipher is never broken with probability one. However, Shannon took the point where N_k = 1 to be the 'unicity distance' n_0, so that n_0 = H(K)/D using the approximation in Eq. (10).



For the case of an arbitrary endomorphic nonrandom cipher, i.e., one for which 𝒳 = 𝒴, the following result due to Hellman and to Beauchemin and Brassard holds (see [8]):

Theorem 1 (HBB result). For any nonrandom cipher with 𝒳 = 𝒴,

    N_k ≥ 2^{H(K) − nD} − 1.                                             (12)

Note that, in contrast to Eq. (10), the RHS of Eq. (12) can reach zero. However, since Theorem 1 gives just a lower bound on N_k, the vanishing of its RHS does not establish insecurity in any conceivable definition. The approximate equality of the right-hand sides of (10) and (12) led Hellman [7] to state that Shannon "random ciphers are essentially the worst possible", in the sense of having the lowest possible N_k.

Under some restricted assumptions that we do not get into here, Hellman goes further and gives upper bounds on the probability that N_k < m for any integer m. These can obviously be translated into lower bounds on the probability that N_k ≥ m. We do not give the expressions here, because the important point in our context is that, to judge the insecurity level of a cipher, we would rather be interested in upper bounds on the probability Pr[N_k ≥ m], which are not available in the analyses [7] and [8] or elsewhere.

In sum, the available results on N_k for nonrandom ciphers are only lower bounds. As such, they cannot in principle be used to establish insecurity of a system, but may conceivably be used in conjunction with a meaningful security measure to ensure a certain security level.
3 Lower Bound on N_k for Random Ciphers

The HBB result quoted above can be extended to include random ciphers with arbitrary ciphertext alphabet 𝒴, including continuous-alphabet ciphers such as αη. We prove the extended lower bound in this section.

We need the following lemma, which is easily established from standard properties of entropy and mutual information:

Lemma 1. For any cipher with plaintext sequence X^n = X_1 … X_n, ciphertext sequence Y^n = Y_1 … Y_n, and key K, with arbitrary plaintext alphabet 𝒳 and arbitrary ciphertext alphabet 𝒴, random or non-random,

    H(K|Y^n) = H(X^n) + H(K) − I(X^n K; Y^n).                            (13)

Theorem 2. For any cipher with plaintext sequence X^n = X_1 … X_n, ciphertext sequence Y^n = Y_1 … Y_n, and key K, with arbitrary plaintext alphabet 𝒳 and arbitrary ciphertext alphabet 𝒴, random or non-random,

D is defined as before by Eq. (11). Theorem 1 can be recovered from (14) by observing that I(X^n K; Y^n) ≤ n log_2 |𝒴| = n log_2 |𝒳| when 𝒳 = 𝒴.

Proof. We proceed as in [8]. We have

    H(K|Y^n) = Σ_y Pr[y] H(K|y) ≤ Σ_y Pr[y] log_2(N_k(y) + 1)            (15)

             ≤ log_2(Σ_y Pr[y] (N_k(y) + 1)) = log_2(N_k + 1).           (16)

The inequality (15) follows from the definition, Eq. (7), of N_k(y), and (16) from the concavity of the log function [10]. The result follows on substituting for H(K|Y^n) using Lemma 1 and exponentiating both sides. ■

The necessary and sufficient conditions for the inequality of Theorem 2 to be satisfied with equality are: the keys in the set K_y must be equiprobable for every y, and |K_y| must be the same for all ciphertexts y. Intuitively, these constraints would not be satisfied for an arbitrary cipher, so the lower bound cannot be expected to be tight without a detailed analysis of the given cipher. We have thus extended the HBB result to random ciphers and observed that it is still just a lower bound on the average number of spurious keys, and cannot therefore provide a basis for an insecurity claim.
4 Application to αη and the Analysis of Ahn & Birnbaum

We assume the description of the αη cryptosystem to be familiar to the reader from [1]; we use essentially the same notation here. Further details on the system may be found in [2,3,4,5].

In order to estimate the lower bound in Theorem 2, one needs to estimate I(X^n K; Y^n) for the cipher being studied. For αη, it is useful to define a signal random variable S^n = S_1 … S_n as

    S^n = f^{(n)}(X^n, K),                                               (17)

where f^{(n)} is simply the function of the data n-sequence and the key that outputs the corresponding n-sequence of signal angles on the coherent-state circle. f^{(n)} depends on the particular PRNG (denoted ENC hereafter, to conform with usage in earlier papers) used, but its explicit form does not concern us here. Each S_i is an M-ary random variable. Now the ciphertext Y^n = Y_1 … Y_n is the n-sequence of continuous-variable heterodyne measurements made by Eve, and may be represented as

    Y^n = S^n + R^n,                                                     (18)

where R^n = R_1 … R_n, and the {R_i} are independent identically distributed random variables having an approximately Gaussian distribution with zero mean and standard deviation σ = 1/(2√N), N being the mean photon number of each transmitted coherent state. They represent the heterodyne measurement noise of each symbol i. For this two-step model of generation of the ciphertext, note that, for each i, (X_i K) → S_i → Y_i is a Markov chain, and hence so is Y_i → S_i → (X_i K), and consequently Y^n → S^n → (X^n K). Therefore, by the data processing inequality [10], we have for all n

    I(X^n K; Y^n) ≤ I(S^n; Y^n).                                         (19)

Let us denote the running-key sequence emitted by an arbitrary ENC seeded with a seed key of length |K| by K' = K'_1 … K'_n …, where each K'_i is of length log_2(M/2) bits, the length needed to choose a basis on the coherent-state circle. It is clear that the {K'_i}, 1 ≤ i ≤ n, cannot be statistically independent beyond a certain n if each segment of the running key has a uniform marginal distribution (as is the case for a pseudo-random number generator), since the seed-key entropy is limited to |K| and the running key is a deterministic function of the seed key. This fact shows that, for an arbitrary ENC, there exists a running-key length n_dep, measured in running-key symbols, beyond which the {K'_i}, 1 ≤ i ≤ n, are statistically dependent, and that

    n_dep ≤ |K|/log_2(M/2)                                               (20)

for an arbitrary ENC. n_dep is referred to as the 'dependency distance'. When a linear feedback shift register (LFSR) is used as an ENC, knowing any |K| consecutive bits of the output running key fixes the seed key and vice versa. Therefore, for an LFSR, n_dep = |K|/log_2(M/2) =: n_dep(LFSR). Note also that if the {K'_i}, 1 ≤ i ≤ n, are statistically dependent, so are the signal random variables {S_i}, 1 ≤ i ≤ n.
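The dependency-distance argument above, and the consequence drawn from it in Section 4.1 (an information estimate linear in n cannot survive past n_dep, because the joint entropy of the running-key segments is capped at |K|), can be checked on a small LFSR. The Python example below is added here and is not part of this Letter or of [1]; it assumes a 4-bit register with the primitive feedback polynomial x^4 + x^3 + 1 and 2-bit running-key segments (i.e., M = 8 signal points, M/2 = 4 bases), so that Eq. (20) gives n_dep(LFSR) = 4/2 = 2. It compares the joint entropy H(K'_1 … K'_n) with the sum of the marginal entropies Σ_i H(K'_i) over a uniformly random seed: the two agree exactly for n ≤ n_dep and separate for n > n_dep, while the joint entropy never exceeds |K| bits. It also verifies the two facts quoted for LFSRs, namely that any |K| consecutive output bits fix the seed and that the period is 2^{|K|} − 1.

```python
"""Added example: the dependency distance of Eq. (20) for an LFSR-driven running key.
A 4-bit register and 2-bit running-key segments (M = 8 signal points, M/2 = 4 bases)
are constructed assumptions; the running key itself is not part of the paper."""
import math
from collections import Counter
from itertools import product

L = 4                 # register length = seed-key length |K| in bits (assumption)
SEG = 2               # bits per running-key segment, log2(M/2) with M = 8 (assumption)
N_DEP = L // SEG      # n_dep(LFSR) = |K| / log2(M/2), Eq. (20) with equality
SEEDS = list(product((0, 1), repeat=L))   # uniform seed key, H(K) = L bits


def lfsr_bits(seed, count):
    """Fibonacci LFSR for x^4 + x^3 + 1 (primitive: period 2^L - 1 = 15 for any
    nonzero seed).  Emits the first cell and feeds back s[t+4] = s[t+3] XOR s[t]."""
    state, out = list(seed), []
    for _ in range(count):
        out.append(state[0])
        state = state[1:] + [state[3] ^ state[0]]
    return out


def segments(seed, n):
    """Running key K'_1 ... K'_n: consecutive SEG-bit groups of the LFSR output."""
    bits = lfsr_bits(seed, n * SEG)
    return tuple(tuple(bits[i * SEG:(i + 1) * SEG]) for i in range(n))


def entropy(counter):
    """Entropy in bits of an empirical distribution given as a Counter."""
    total = sum(counter.values())
    return -sum(c / total * math.log2(c / total) for c in counter.values())


def joint_vs_marginal(n):
    """Return (H(K'_1..K'_n), sum_i H(K'_i)) over a uniform seed.  The two agree iff
    the n segments are jointly independent; the joint entropy can never exceed |K|."""
    joint = Counter(segments(s, n) for s in SEEDS)
    marg = [Counter(segments(s, n)[i] for s in SEEDS) for i in range(n)]
    return entropy(joint), sum(entropy(m) for m in marg)


def independent(n):
    h_joint, h_sum = joint_vs_marginal(n)
    return abs(h_joint - h_sum) < 1e-9


def window_determines_seed(start):
    """Any |K| consecutive output bits fix the seed (the LFSR is nonsingular, so the
    state can be run backwards): the map seed -> window must be injective."""
    windows = {tuple(lfsr_bits(s, start + L)[start:]) for s in SEEDS}
    return len(windows) == len(SEEDS)


def period(seed):
    """Smallest p with s[t] = s[t+p] for all t, found on a 2^(L+2)-bit sample."""
    bits = lfsr_bits(seed, 4 * 2 ** L)
    half = len(bits) // 2
    return next(p for p in range(1, half + 1) if bits[:half] == bits[p:p + half])


if __name__ == "__main__":
    print(f"n_dep(LFSR) = {N_DEP}, period of a nonzero seed = {period((1, 0, 0, 0))}")
    for n in range(1, 2 * N_DEP + 1):
        h_joint, h_sum = joint_vs_marginal(n)
        print(f"n = {n}: H(K'^n) = {h_joint:.2f} bits, sum of marginals = {h_sum:.2f}, "
              f"independent = {independent(n)}")
```

Each segment has a uniform 2-bit marginal for every n, exactly the property that makes a per-symbol quantity such as U in Section 4.1 well defined; nevertheless, from n = 3 on, the joint entropy stays at 4 bits while the sum of marginals grows as 2n, so no quantity computed from the marginals alone can describe the joint behaviour beyond n_dep.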

4.1 Ciphertext-only heterodyne attack

Consider first the case of a ciphertext-only heterodyne attack on αη, for which D = 0. Also, the plaintext alphabet size |𝒳| = 2 for αη. Ahn and Birnbaum calculate in [1] a quantity U that is, in our notation,

    U = I(S_i; Y_i)   ∀i.                                                (21)

This definition makes sense for the LFSR case (it needs a proof in the general case) because the {S_i} do indeed have the same (in fact, uniform) marginal distributions for each i when the plaintext is uniformly random. It is also true that I(S^n; Y^n) = nU for all n ≤ n_dep because, for such data lengths, the i-th signal symbol in the n-sequence is statistically independent of the rest, as mentioned above. However, this information estimate that is linear in n is not valid beyond the dependency distance, because the running key has correlations beyond n_dep. The argument in [1] that the "pseudo-random number generator redistributes Eve's prior probabilities back to the flat distribution for each new symbol" merely makes U of Eq. (21) well-defined but does not justify the above estimate. It is the joint probability distribution of the {S_i} that goes into the calculation of I(S^n; Y^n), and not the marginal per-symbol probability distribution. In fact, it follows from Theorem 4.2.1 of [10] that

    I(S^n; Y^n) < nU   ∀n > n_dep,                                       (22)

and the inequality is strict because the {S_i} are not statistically independent. Even if I(X^n K; Y^n) is taken to be equal to I(S^n; Y^n) (see (19)), the claim in [1] that the former quantity increases linearly up to n = |K|/U cannot be true. Note that U ≈ ½ log_2 N + 1.6 < log_2 M in the regime a = M/(2√N) > 1 assumed in the calculation of [1], and thus n ≫ n_dep(LFSR), so that we are already well into the region where (22) is a strict inequality. This argument is unchanged for a general ENC by virtue of the inequality (20): the running-key dependency sets in not later than it does for the LFSR case.

The key argument which to them would make Shannon's random cipher analysis in the form of Eq. (2) (or equivalently, Eq. (22) in the form of an equality) applicable is that for two different running-key segments k_s and k_q at the output of the PRNG ".. values of K which have similar values of k_q will have uncorrelated values of k_s for s ≠ q." From the theorem just cited, (22) is an equality if and only if the {S_i} from 1 to n are jointly statistically independent, a condition that cannot be satisfied for n > n_dep. Their condition quoted above seems to be the strictly weaker one that the key segments need only be pairwise statistically independent. In view of the well-known difference between pairwise and complete statistical independence of a sequence of random variables, we feel justified in demanding a rigorous proof of how Eq. (22) may be "approximately" true under their weaker assumption. We have assumed that by the word 'uncorrelated' in the quotation above, Ahn and Birnbaum mean 'statistically independent', although this is not clear from [1]. Whatever their meaning of the term, we urge them to prove how and to what degree it leads to an 'approximate' satisfaction of the 'only if' condition of Gallager's theorem that renders (22) an equality.

Therefore, the only conclusion on I(X^n K; Y^n) derivable from the analysis of [1] is that

    I(X^n K; Y^n) ≤ nU   ∀n.                                             (23)

Using this in conjunction with Theorem 2 yields the following lower bound on N_k:

    N_k ≥ 2^{H(K) + n(1 − U)} − 1.                                       (24)

If we choose to find the data length n_'unicity' at which the lower bound reads N_k ≥ 0, we find

    n_'unicity' = |K|/(U − 1),                                           (25)

which is claimed in [1] to be the 'unicity distance' of αη, beyond which "Eve's entropy on the key will transition from linear decline to asymptotic decay by analogy to the unicity distance of a classical deterministic cipher..." It is also claimed that "Eve may have enough information to determine the key with high probability when n ≫ n_'unicity'."

There are several things amiss with such claims. The fact that the linear decline of Eve's entropy on the key has already ended at n_dep has been noted. In addition, the analogy with Shannon's random cipher does not exist. As stressed in Sections 2 and 3, for concrete ciphers the only available results are lower bounds on N_k, and the analysis of [1] is no exception. As a matter of principle, a lower bound on N_k cannot prove insecurity of a cipher. If Ahn and Birnbaum wish to claim that N_k is indeed close to zero at n_'unicity', they must show both why the bound of Theorem 2 is tight for αη and why I(X^n K; Y^n) = nU is a good approximation for αη beyond n = n_dep. Also, N_k is not claimed to be exactly zero (so the key is not determined with probability one; it is shown in Section 4.2 below that N_k for αη is never exactly zero for any finite data length n under known-plaintext heterodyne attack, and consequently also for the weaker ciphertext-only attack), so Ahn and Birnbaum need to estimate the probability with which Eve obtains the key correctly. As per the discussion of Sections 2 and 3, this probability can be determined for Shannon's random cipher but has never been determined for any standard cipher, let alone αη. This fact does not make all previous work in cryptography meaningless, because the bulk of it is concerned with complexity-based security under specific attacks and not with the information-theoretic security under consideration here. Without such a calculation, a statement like "Eve may have enough information to determine the key with high probability when n ≫ n_'unicity'." is unfalsifiable: it does not satisfy the requirement of being a scientific claim over and above (1) without quantifying both how high the probability is and how much greater than n_'unicity' n needs to be.



4.2 Statistical and Known-Plaintext Attacks

For general statistical attacks, i.e., those for which H(X^n) < n, Ahn and Birnbaum claim that a simple additive stream cipher (ASC) is broken "with high probability" when

    n − H(X^n) ≫ |K|,                                                    (26)

and, by comparison, αη is broken "with high probability" when

    n(U + 1) − H(X^n) ≫ |K|.                                             (27)

These assertions are again justified by analogy to Shannon's random cipher analysis, and are interpreted as implying that αη is broken at smaller data lengths than the ASC because of the added factor of (U + 1) in Eq. (27).

As before, since the terms "high probability" and "≫" have no precise meaning, these claims are unfalsifiable until they are quantified. As with standard ciphers under many statistical attacks, by choosing n large enough we can drive the probability of finding the key as close to 1 as desired. This is the content of Eq. (1), but the equations above ostensibly claim more than that. We contend that what they claim is not well-defined without quantitative meaning given to "high probability" and "≫".

Rigorous bounds, different from (26) and (27) although similar in form, can be obtained from an application of our Theorem 2. For the ASC, we have trivially that I(X^n K; Y^n) ≤ H(Y^n) ≤ n. Substituting this into the RHS of Theorem 2 gives the lower bound

    N_k ≥ 2^{H(K) − nD} − 1,                                             (28)

which is just the HBB result. As we did for ciphertext-only attacks, setting the lower bound to zero gives the condition (compare (26))

    n − H(X^n) ≥ |K|                                                     (29)

that must be satisfied if N_k = 0. As such, this is simply a necessary condition for N_k = 0 and does not imply the latter.

For αη, using Eq. (22) in Theorem 2 and rewriting D in terms of H(X^n) gives the lower bound

    N_k ≥ 2^{H(K) + H(X^n) − nU} − 1.                                    (30)

Setting the RHS to zero gives the necessary condition (compare (27))

    nU − H(X^n) ≥ |K|                                                    (31)

for N_k = 0. It is not a sufficient condition for the latter, which, as we show below, is never true except at n = ∞, even for known-plaintext attacks. As is the case for all applications of Theorem 2, there is no proof that N_k approximately equals the RHS of Eq. (30), which would be needed to make insecurity claims on its basis. Again, it is essential to provide estimates of the probability that the key is found correctly by Eve in order to prove insecurity.

Indeed, there is no evidence that (25) is valid as an approximate estimate of 'unicity distance'. The numerical result quoted in [1] for the simulation of [11] yields a 'unicity distance' too small by a factor of ~300, which shows U ~ 1 when (25) is used instead of U ~ 300. While such a comparison has little meaning when the attack-success probability is not specified, it surely is unreasonable to claim, as in [1], that such a large discrepancy exists because of the suboptimal processing used in [11].
Intuitively, the measurement noise in αη would make it more secure than an 
additive stream cipher instead of worse as claimed in [1], at least for the case 
of known-plaintext attacks where $H(X^n) = 0$. In this case, an ASC is broken 
with probability 1 at the nondegeneracy distance defined in [2], which is 
just $n_d = |K|$ for an LFSR. On the other hand, it is clearly not possible to pin 
down the seed key at this n with probability 1 in the case of αη. As a matter 
of fact, the true unicity point of αη using any ENC, i.e., the point where the 
key is determined with probability one, is infinite even under known-plaintext 
attacks. To see this, note that, irrespective of what ENC is, in the more exact 
continuous Gaussian-noise model of the noise $R_i$ used in [1] (as opposed to 
the wedge approximation used in [3]), there is always a non-zero probability, 
however small, that a $Y^n$ that is close to any given n-sequence of signal points 
on the coherent-state circle may arise from any data sequence $X^n$ and any 
running key and thus seed key K. Furthermore, a large fraction (in terms of 
probability) of such events for Eve occur without giving rise to any detection 
error for Bob. In particular, the close approximation to $R_i$ consisting of a 
continuous probability distribution cut off at 90° on each side of the signal 
point $S_i$ would give zero error for Bob and infinite unicity distance because 
every allowed basis n-sequence is still possible given the ciphertext, albeit some 
are highly unlikely. The above argument shows that the true unicity point is 
not reached for any finite n. Together with the fact that $\lim_{n \to \infty} =$ 
proven in Section 1, we have that the unicity distance is infinite. This fact that 
$N_K \neq$ for any specified finite distance underscores the necessity of providing 
probability estimates to any claims that the system is broken at that distance. 
These estimates are not provided in [1] and seem thus far difficult to obtain, 
although some progress is currently being made by various research groups. 
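The contrast drawn above, an ASC broken with probability 1 once $|K|$ running-key bits are seen versus a noisy αη-like system in which every seed key retains a non-zero posterior probability for any finite n, can be checked on a toy model. The following is an added example, not a simulation from this paper or from Ahn and Birnbaum; the 4-bit LFSR as ENC, the number of bases M = 8 and the Gaussian phase-noise level are assumptions chosen for illustration.

```python
import math
import random

# Toy alpha-eta-like model, constructed for illustration. A seed key drives a
# small LFSR (the assumed ENC); each running-key symbol selects one of M bases on
# the coherent-state circle and the known data bit selects one of the two
# antipodal points of that basis. Eve observes the phase with Gaussian noise.
KEY_BITS = 4                  # |K|; n_d = |K| running-key bits for an LFSR
M = 8                         # bases on the circle; log2(M) = 3 key bits per symbol
BITS_PER_SYMBOL = M.bit_length() - 1

def running_key(seed, n):
    """First n running-key symbols from the LFSR x^4 + x^3 + 1 (nonzero seed)."""
    state = [(seed >> i) & 1 for i in range(KEY_BITS)]
    symbols = []
    for _ in range(n):
        word = 0
        for _ in range(BITS_PER_SYMBOL):
            word = (word << 1) | state[0]          # output bit, then shift
            state = state[1:] + [state[3] ^ state[2]]
        symbols.append(word)
    return symbols

def signal_angle(basis, bit):
    """Angle of signal point S_i: basis b, data bit x picks the antipodal point."""
    return math.pi * (basis + M * bit) / M

def observe(seed, xn, sigma, rng):
    """Eve's Y^n: signal angle plus Gaussian phase noise R_i of std sigma.
    sigma = 0 reproduces a noiseless additive stream cipher (ASC)."""
    return [signal_angle(b, x) + (rng.gauss(0.0, sigma) if sigma > 0 else 0.0)
            for b, x in zip(running_key(seed, len(xn)), xn)]

def log_posterior(yn, xn, sigma):
    """Log-posterior over all nonzero seed keys given Y^n and known plaintext X^n.
    With sigma = 0 a key survives only if it reproduces Y^n exactly (-inf otherwise);
    with sigma > 0 every key keeps a finite log-probability for any finite n."""
    loglik = {}
    for k in range(1, 2 ** KEY_BITS):
        ll = 0.0
        for y, x, b in zip(yn, xn, running_key(k, len(xn))):
            d = (y - signal_angle(b, x) + math.pi) % (2 * math.pi) - math.pi  # wrapped error
            ll += (0.0 if d == 0.0 else -math.inf) if sigma == 0 else -d * d / (2 * sigma ** 2)
        loglik[k] = ll
    mx = max(loglik.values())
    logz = mx + math.log(sum(math.exp(v - mx) for v in loglik.values()))
    return {k: v - logz for k, v in loglik.items()}

def demo(true_key, n, sigma, rng_seed=7):
    """(keys not ruled out, most probable key) for a random known plaintext of length n."""
    rng = random.Random(rng_seed)
    xn = [rng.randrange(2) for _ in range(n)]
    lp = log_posterior(observe(true_key, xn, sigma, rng), xn, sigma)
    return sorted(k for k, v in lp.items() if v > -math.inf), max(lp, key=lp.get)
```

With sigma = 0 one symbol (3 running-key bits) leaves two candidate keys and two symbols (6 bits, past $n_d = 4$) leave exactly one; with sigma > 0 all 15 keys survive at n = 30 even though the true key is by far the most probable.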



5 Conclusion 

In conclusion, we have shown, both by arguing the non-existence of an analogy 
to Shannon's random cipher and by a direct analysis of their final claim (2), 
that the arguments of Ahn and Birnbaum do not establish the insecurity of 
αη. Rigorously true results similar in form to their expressions are derived 
as corollaries of the lower bound on (Theorem 2). It is noted that these 
results, being lower bounds, cannot in principle establish insecurity of any 
system. We also noted the lack of any estimates by Ahn and Birnbaum of the 
probability that αη is broken at the claimed distance (which they also did 
not clearly delimit) to be a serious loophole insofar as it makes their claim of 
insecurity unfalsifiable. 

There are other points mentioned in [1] that we disagree with but cannot 
get into in any detail here. One concerns the comparison of αη with DSR to 
an ASC, and another the existence of a proven secure concrete BB84 
cryptosystem. While the work in [1] does not throw light on the true security 
level of αη, further efforts in this direction are possible and welcome. 



6 Added Comment 

In their response [12] to our Comment, Ahn and Birnbaum abandon the 
Shannon random cipher analogy argument of their original paper [1] and repeat 
their other qualitative argument that PRNG outputs "will mimic those of a 
true random number generator". If that is the case, there is no need for all the 
work on cryptographic encryption. Given the previously known condition (1) 
of our Comment, the problem here is quantitative. For example, for a fixed 
data bit length n equal to the seed-key length under known-plaintext attack, 
a conventional cipher is broken with probability 1. If the bare αη is broken 
with probability $\sim 10^{-4}$ irrespective of complexity, it is already a significant 
improvement. Since we have given intuitive as well as rigorous arguments on 
why these authors' main claim, our (2), is merely a lower bound that can 
yield no insecurity conclusion, its validity can only be established by rigorous 
quantitative reasoning the authors have not provided. 

They also give a simulation example for seed-key size = 13 with other fixed 
system parameters. It is not spelled out exactly how the reported simulation 
was carried out. In particular, we cannot assess whether or not the method 
of updating the eavesdropper's probabilities in the simulation uses any of the 
assumptions the simulation purports to validate. We do not comment on it not 
only for this reason but also because their original paper used only theoretical 
arguments to support their conclusion. These arguments remain the same, 
and our theoretical refutation still stands. The importance of addressing our 
theoretical refutation lies in the fact that a single numerical example cannot 
validate a general quantitative conclusion. It would indeed be interesting if 
a complete numerical study could be carried out for realistic key sizes to show 
the dependence of the results on the system parameters. However, such a study 
appears exceedingly difficult due to the complexity involved. 

The authors do not dispute the unfalsifiability of their claim given by our (2) 
in the absence of meaning given to "~" and "≪". Regarding their claim given 
by (3) in our Letter, insofar as it is meant to say something over and above our 
(1), the alleged counter-example in their Reply does not make (3) falsifiable 
because the example does not satisfy (1). The issue could be easily resolved 
if these authors just define their symbols and give the success probability 
estimate, which they still have not done. There is no analogy between their 
claim and the examples they give, their (7) with $\tan x \sim x$ and their (8). The 
elementary point to be made here is that the approximation error in those 
cases can be readily estimated rigorously on demand. In contrast, their main 
result given by our (2) is merely a lower bound on $H_E(K)$; the crux of the 
matter is that the gap between $H_E(K)$ and the right-hand side is unknown. 

We cannot go into here the other side issues raised by these authors in their 
Reply. We may just mention that the rigorous examination of unicity distance 
for given success probability under a given attack is possible and being pursued 
by us and other groups. 